Integration and automation let cybersecurity teams do more with less

Release 16 EP4

With the increasing sophistication of cyber-attacks, incident responders need to detect and contain threats quickly and efficiently to reduce the risk of loss or damage. That’s why EnCase Endpoint Security 6 is designed with automation and operational efficiency as core strengths, to help analysts find and triage security incidents faster.

Building on this theme, EnCase Endpoint Security 6.04 – part of OpenText Release 16, EP4 – features enhancements focused on security-first workflows, including a fully bi-directional Splunk integration and a new Snapshot Compare feature. These capabilities in OpenText’s top-rated Endpoint Detection and Response (EDR) solution provide greater automation and contextualization of security events for faster decision-making and improved security efficacy.

Endpoint Security 6.04 includes a fully bi-directional Splunk integration that enables incident responders to triage their security events from a single pane of glass, in this case Splunk. When a security incident is triggered in Splunk, Endpoint Security automatically scans the target endpoint, conducts reputation analysis, and generates an Event Details report. The bi-directional integration ensures that the entirety of the data generated for this report, including all processes, DLLs, connections, and DNS records, is exported directly back to Splunk as compatible TSV files.

This latest Splunk integration provides far more detail than any previous version, including new data on threat intelligence, threat scores, and DNS, among others. Our objective was to provide incident responders with a best-of-breed EDR solution that is fully integrated and flexible, so they can triage in their preferred application without juggling multiple security tools.

Compare snapshots to quickly triage security incidents

Endpoint Security 6.04 also includes Snapshot Compare, which enables security analysts to conduct efficient root cause analysis quickly. For any given security event, the ability to rapidly compare a snapshot from the target endpoint against any baseline snapshot – whether from the same machine or a different one – can be instrumental for investigations. Snapshot Compare automatically excludes all identical data points and displays only new or missing processes or connections, enabling incident responders to quickly identify the potential cause of the alert.
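As an added illustration of the comparison Snapshot Compare performs (example code written for this page, not OpenText's implementation or its snapshot format), the following Python diffs a target snapshot against a baseline, drops every identical process and connection, and reports only what is new or missing. The data model, the constructed snapshots (a gold-image baseline and a workstation that raised an alert) and the placeholder hashes are assumptions made here for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, NamedTuple


class Process(NamedTuple):
    # Keyed on image name, path and hash, never PID: PIDs change on every
    # reboot and mean nothing when the baseline comes from another machine.
    name: str
    path: str
    sha256: str


class Connection(NamedTuple):
    # Attributed to the owning image's path, not its PID, for the same reason.
    process_path: str
    remote_ip: str
    remote_port: int
    protocol: str


@dataclass(frozen=True)
class Snapshot:
    host: str
    processes: frozenset[Process]
    connections: frozenset[Connection]


@dataclass(frozen=True)
class CompareResult:
    new_processes: frozenset[Process]
    missing_processes: frozenset[Process]
    new_connections: frozenset[Connection]
    missing_connections: frozenset[Connection]

    def is_empty(self) -> bool:
        return not (self.new_processes or self.missing_processes
                    or self.new_connections or self.missing_connections)


def make_snapshot(host: str, processes: Iterable[Process],
                  connections: Iterable[Connection]) -> Snapshot:
    # Case-fold Windows paths and hashes so C:\Windows in the baseline and
    # c:\windows in the target are not reported as a change.
    procs = frozenset(Process(p.name.lower(), p.path.lower(), p.sha256.lower())
                      for p in processes)
    conns = frozenset(Connection(c.process_path.lower(), c.remote_ip,
                                 c.remote_port, c.protocol.lower())
                      for c in connections)
    return Snapshot(host, procs, conns)


def compare(target: Snapshot, baseline: Snapshot) -> CompareResult:
    # Set differences in both directions: identical data points vanish, leaving
    # what is new on the target and what is missing from it (e.g. a killed agent).
    return CompareResult(
        new_processes=target.processes - baseline.processes,
        missing_processes=baseline.processes - target.processes,
        new_connections=target.connections - baseline.connections,
        missing_connections=baseline.connections - target.connections,
    )


def summarize(result: CompareResult) -> list[str]:
    lines = [f"+ process    {p.name} ({p.path}) sha256={p.sha256}"
             for p in sorted(result.new_processes)]
    lines += [f"- process    {p.name} ({p.path})" for p in sorted(result.missing_processes)]
    lines += [f"+ connection {c.process_path} -> {c.remote_ip}:{c.remote_port}/{c.protocol}"
              for c in sorted(result.new_connections)]
    lines += [f"- connection {c.process_path} -> {c.remote_ip}:{c.remote_port}/{c.protocol}"
              for c in sorted(result.missing_connections)]
    return lines


# Constructed sample data with placeholder hashes (not real ones).
BASELINE = make_snapshot("GOLD-IMAGE", [
    Process("lsass.exe", r"C:\Windows\System32\lsass.exe", "HASH-LSASS"),
    Process("svchost.exe", r"C:\Windows\System32\svchost.exe", "HASH-SVCHOST"),
    Process("MsMpEng.exe", r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "HASH-MSMPENG"),
], [
    Connection(r"C:\Windows\System32\svchost.exe", "10.0.0.53", 53, "UDP"),
])

TARGET = make_snapshot("WS-042", [
    Process("lsass.exe", r"c:\windows\system32\lsass.exe", "HASH-LSASS"),
    Process("svchost.exe", r"c:\windows\system32\svchost.exe", "HASH-SVCHOST"),
    # Same image name as a system process, but wrong directory and wrong hash.
    Process("svchost.exe", r"C:\Users\Public\svchost.exe", "HASH-UNKNOWN-1"),
], [
    Connection(r"c:\windows\system32\svchost.exe", "10.0.0.53", 53, "udp"),
    Connection(r"C:\Users\Public\svchost.exe", "203.0.113.10", 4444, "TCP"),
])


def demo() -> CompareResult:
    return compare(TARGET, BASELINE)


if __name__ == "__main__":
    print("\n".join(summarize(demo())))
```

Run stand-alone, the script prints three lines: the new svchost.exe under C:\Users\Public, the missing MsMpEng.exe (the Defender engine is absent from the target), and the new connection to 203.0.113.10:4444; the shared lsass.exe, the legitimate svchost.exe and its DNS connection are suppressed as identical. Keying on path and hash rather than PID is what makes a baseline from a different machine usable; the remaining caveat is that a comparison is only as trustworthy as its baseline, so the baseline should come from a known-good image or a snapshot taken before the suspected compromise.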

Whether these alerts are generated by Endpoint Security (via its anomaly detection rules) or fired through a SIEM application, the ability to easily conduct root cause analysis with contextualized snapshot data is highly useful for any incident responder. The new UI/UX for this feature is designed so that it is straightforward to use from the first session.

Automate security operations to minimize risk

In addition to these enhancements, users of EnCase Endpoint Security 6.04 can now group processes and connections in new ways to search for relevant data. An EDR solution specifically designed to automate workflows and augment analysts’ capabilities dramatically decreases the cost, complexity, and time associated with traditional root cause investigations. This, in turn, mitigates both known and unknown risks and reduces the likelihood of an organization making headline news for a data breach.

It’s time to empower security teams to do more with the powerful integrations and automations enabled by EnCase Endpoint Security.

See EnCase Endpoint Security in action at Enfuse 2018, the largest gathering of cybersecurity, eDiscovery and forensic investigations professionals!

Charles is a Senior Product Marketing Manager responsible for the EnCase Forensic Security suite of products. He brings almost ten years of product management and marketing experience, with advanced degrees in both law and business. He writes about market trends, industry challenges, and solutions in the areas of cybersecurity, risk management, and compliance.